Potao Trojan Served Up by Russian TrueCrypt Site

The Win32/Potao malware family has been used for the past five years in covert targeted attacks against the Ukrainian government, served up on occasion by a trojanized Russian version of encryption software TrueCrypt, according to ESET.

The cybersecurity firm detailed its latest findings in a new report, Operation Potao Express.

In the early days, Potao was spread via phishing emails in what seems to have been a mass-distribution campaign, likely used to test and debug the trojan.

From 2011 to 2013, activity was relatively infrequent, but in 2014 infections began to spike. So far this year there have been nearly 400 recorded detections, with the spike due to infection via USB drives, the report claimed.

Other attacks used spear-phishing with the popular Russian pyramid-selling scheme MMM as bait, whilst the malware was also detected in Georgia, in an emailed wedding invitation written in English.

Attacks against Ukrainian victims that began in earnest in 2014 were highly targeted.

Victims were sent an SMS – indicating the attackers knew their phone numbers – with a link to a fraudulent landing page masquerading as a postal service, along with their full name and a tracking number.

Only on entering these specific codes would the Potao trojan be downloaded, ESET said.

Since March this year, the security firm has seen an uptick in attacks against Ukrainian military and government targets, as well as a local news agency.

“The infection vector used in these attack waves was again an executable with a MS Word document icon and this time cleverly chosen filenames to increase the likelihood that the recipient would open the bait,” the report explained.

The attackers also used a trojanized Russian version of the popular encryption software TrueCrypt to spread the Potao malware, downloaded from the truecryptrussia.ru website.

ESET continued:

“Note, however, that not every download of the TrueCrypt software from the Russian website is malicious or contains a backdoor. The malicious versions of the software are served only to selected visitors, based on unknown specific criteria. This lends additional evidence to the view that the operation is run by a professional gang that selectively targets their espionage victims.”

The report declines to attribute the attacks, although given the large number of Ukrainian military and government victims, the smart money would be on Russian involvement.